Overview

overview

10

Static

static

10

da044c033d...59.exe

windows7-x64

10

da044c033d...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2024 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da044c033d375095443875b680b1de847b251d30e55e68fb8e3735c25286bb59.exe

  • Size

    829KB

  • MD5

    cbadabd5f33ef27c7859a83fc1a2c973

  • SHA1

    a155b4f7e2df225012b3f416ac13c2aab696f240

  • SHA256

    da044c033d375095443875b680b1de847b251d30e55e68fb8e3735c25286bb59

  • SHA512

    bf87a61b9a65f9c42d3bcf057ba08b328dffad7b50a49a34806a66585411849f4335336932fbfa88ec422995b394bbc4f4c326f6b9b0a4c0e28d8054057a8972

  • SSDEEP

    24576:/8snXXpIYvwMS2AKO99fP7NvujxVMzMx:/8s1vmvM

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\da044c033d375095443875b680b1de847b251d30e55e68fb8e3735c25286bb59.exe
    "C:\Users\Admin\AppData\Local\Temp\da044c033d375095443875b680b1de847b251d30e55e68fb8e3735c25286bb59.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qkHk1eR75Z.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:5076
        • C:\Recovery\WindowsRE\dllhost.exe
          "C:\Recovery\WindowsRE\dllhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\PackageManifests\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4756
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3340

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe
      Filesize

      829KB

      MD5

      cbadabd5f33ef27c7859a83fc1a2c973

      SHA1

      a155b4f7e2df225012b3f416ac13c2aab696f240

      SHA256

      da044c033d375095443875b680b1de847b251d30e55e68fb8e3735c25286bb59

      SHA512

      bf87a61b9a65f9c42d3bcf057ba08b328dffad7b50a49a34806a66585411849f4335336932fbfa88ec422995b394bbc4f4c326f6b9b0a4c0e28d8054057a8972

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qkHk1eR75Z.bat
      Filesize

      198B

      MD5

      abfe00b68820001c118ec7e1af9c435c

      SHA1

      7a8b450be12ddd6abfd5372862e7df1db9856091

      SHA256

      e8ee971e872d4a5cf321bbf3741bcadd07c437d8a43bc5905194390c985e7eb6

      SHA512

      87afee4ee393a592e7edc87be1f9cc5e361d846c91af22a0f851957682d315ef1f2ead5c275852ce85b32e6f39eda5c9e7594b40d04fe2a3b8b8a8f2028f3fd7

      Download Submit

    • memory/3128-0-0x00007FF96A283000-0x00007FF96A285000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3128-1-0x0000000000750000-0x0000000000826000-memory.dmp

      Filesize

      856KB

      Download

    • memory/3128-4-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3128-21-0x00007FF96A280000-0x00007FF96AD41000-memory.dmp

      Filesize

      10.8MB

      Download